Banana Republic (and Gap, etc.) Stores Passwords in Plain Text

July 14, 2011 | 1 Minute Read

I was sitting on the subway when I got a random email from Banana Republic that contained my password in plain text. Besides the fact that I hadn’t requested it (lots of Hung Truongs think that they’re me @ gmail), I was surprised because any company that even slightly values security does not store passwords in plain text. It is quite jarring to see a password show up on my iPhone’s home screen. Here’s the email in case anyone needs proof:

The fact that BR stores passwords in plain text means that they’re probably a very nice target for a quick hack (and if they’ve got bad practices in password storage, they probably have holes elsewhere as well). Unlike the Gawker password leak, which had hashed passwords (though they could still be eventually brute-forced), the BR passwords aren’t even obfuscated (or if they are, it’s in an easily reversible way).
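To make the difference concrete, here is an added example (not from the original post) showing a plain-text store beside a salted, iterated hash using Python's `hashlib`; the record format, iteration count and sample password are assumptions chosen for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# A plain-text (or reversibly obfuscated) record is what lets a site email
# the password back to the user, which is the symptom described above.

def store_plaintext(password: str) -> str:
    """What a site that can email you your password must be doing."""
    return password

def store_hashed(password: str, iterations: int = 600_000,
                 salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The iteration count is an assumed
    default; the record layout 'pbkdf2_sha256$<iters>$<salt>$<hash>' is also
    just this example's convention."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record, so equal passwords differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )

def verify_hashed(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)

def can_email_password_back(record: str, password: str) -> bool:
    """The 'password reminder' test: only a plain-text record passes it."""
    return record == password

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    plain, hashed = store_plaintext(pw), store_hashed(pw)
    print("plain-text record can be emailed back:", can_email_password_back(plain, pw))
    print("hashed record can be emailed back:", can_email_password_back(hashed, pw))
    print("hashed record verifies the right password:", verify_hashed(pw, hashed))
    print("hashed record verifies a wrong password:", verify_hashed("hunter2", hashed))
```

Note that the hashed record can still be brute-forced offline if it leaks, as the post says of the Gawker dump; the salt and iteration count only make each guess slow and unshareable across users.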

If you have a Banana Republic, Gap, Old Navy, Piperlime or Athleta account, I highly suggest you change your password to something unique that you don’t use for any other sites (um, just like all your passwords… I totally have different passwords and two-factor security for everything).

I’d also suggest you contact Banana Republic and tell them that their security policies suck. Maybe they’ll fix it if enough people complain. That’d be sad if it took a huge hack and user info disclosure to change their ways.